I noticed that the information about the described error (securesecret.com) is retrieved from the first (default) vhost configuration listening on that port (443). I can add a fake vhost to obscure this information, but I think this is very inelegant.
– vizzdoom Nov 21 '11 at 22:54

3 Answers

While the other two answers are good, this is the way you can actually solve the problem.

To get around the problems of dual homing identified by @bstpierre and @Thomas Pornin you can use an extra IP address and separate Apache configs.

You can launch a separate Apache instance on the secure IP address to host the securesecret domain (both http and https) and the one and two domains will operate on the other Apache instance and IP addresses just using http.

Of course, you might have difficulty getting the new IP address from your provider and routing and configuring your server, but you need to determine the cost/benefit for yourself.

Even if I get a proper 400 doc, I'll still get a cert that is signed for securesecret.com.
– StrangeWill Nov 23 '11 at 21:00


@StrangeWill: While I agree with the principle of what you're saying ("there's no way to keep the server name a secret"), the OP is doing an http request to port 443. The server won't send back a cert, just an error page. Try doing echo 'GET / HTTP/1.0' | nc -q 10 secure.example.com 443.
– bstpierre Nov 23 '11 at 21:58

Ah good catch, yeah, no cert for you in that case.
– StrangeWill Nov 24 '11 at 2:18

You cannot really hide the domain name, because if someone connects to port 443 of your server and begins initiating an SSL connection, your server will respond by sending its certificate... which contains the server name.

Actually, the client may send the intended client name as part of a Server Name Indication, which is a rather recent extension which is not supported everywhere (Internet Explorer on Windows XP will not send it; it requires IE 8 and Vista or later). The server may theoretically wait for an explicit SNI before sending its certificate; however, both the SNI and the certificate will travel unencrypted at this point, so the server name cannot be considered as really secret. And you cannot realistically mandate an SNI from clients right now (maybe in five years, when the current crop of WinXP has mostly died out...).

Also, the server name is part of the data which the DNS sends to whoever asks, on a regular basis, and without any encryption. A server name is definitely not a secret.

Thanks for the professional help. I know that the domain name is not a secret, but it can be part of (ugly ;) ) security through obscurity. I only do not want a user of one domain to get information about another domain hosted on the same IP address (reverse IP scanners etc.).
– vizzdoom Nov 21 '11 at 22:47